Snort mailing list archives
Re: Configuration tradeoffs
From: "Stewart L" <stewartl42 () gmail com>
Date: Wed, 27 Aug 2008 13:22:28 -0400
Overnight. It was a great webinar, BTW. :)
Here is an example of what I did...
# Global Settings
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
# Linux Web Servers
preprocessor http_inspect_server: server 192.168.100.1 profile apache ports { 80 8080 8180 } oversize_dir_length 500
[snip about 40 similar lines with different IP addresses.]
#Default Windows server for the rest
preprocessor http_inspect_server: server default profile iis ports { 80 8080 8180 } oversize_dir_length 500
Stewart
On Wed, Aug 27, 2008 at 1:12 PM, Joel Esler <eslerj () gmail com> wrote:
> How long have you had this running?
>
> J
>
> On Aug 27, 2008, at 12:14 PM, Stewart L wrote:
>
>> So, I sat through a Webinar on common mistakes made when setting up Snort. They mentioned that http_inspect needs to be configured to reduce false positives. I have my global configuration, I have my default server configuration, then I added about 40 server configuration lines for my Linux Servers. I'm seeing more packet loss since I configured all this up. Went from about 0.1% loss to more than 2%.
>>
>> Am I doing something incorrect here? Or is this expected?
>>
>> --
>> Stewart
>> --
>> You only lose what you cling to.
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Joel Esler
> http://blog.joelesler.net
> http://www.dearcupertino.com
--
Stewart
--
You only lose what you cling to.
